To prevent hacking, disable Universal Plug and Play now

Security experts are advising that a networking feature known as Universal Plug and Play be disabled on routers, printers, and cameras, after finding it makes tens of millions of Internet-connected devices vulnerable to serious attack.

UPnP, as the feature is often abbreviated, is designed to make it easy for computers to connect to Internet gear by providing code that helps devices automatically discover each other over a local network. That often eliminates the hassle of figuring out how to configure devices the first time they're connected. But UPnP can also make life easier for attackers half a world away who want to compromise a home computer or breach a business network, according to a white paper published Tuesday by researchers from security firm Rapid7.

Over a five-and-a-half-month period last year, the researchers scanned every routable IPv4 address about once a week. They identified 81 million unique addresses that responded to standard UPnP discovery requests, even though the standard isn't supposed to communicate with devices that are outside a local network. Further scans revealed 17 million addresses exposed UPnP services built on the open standard known as SOAP, short for simple object access protocol. By broadcasting the service to the Internet at large, the devices can make it possible for attackers to bypass firewall protections.

"Unfortunately, the realities of the consumer electronics industry will leave most systems vulnerable for the indefinite future," the Rapid7 white paper warned. "For this reason, Rapid7 strongly recommends disabling UPnP on all Internet-facing systems and replacing systems that do not provide the ability to disable this protocol."

In all, Rapid7 identified 6,900 products sold by 1,500 separate vendors that contained at least one UPnP vulnerability. Rapid7 CTO HD Moore told Ars home networks that connect UPnP-enabled devices are generally safe as long as the firewall included in the Internet-facing router is enabled and working properly. The problem is that many routers include vulnerable implementations of UPnP, in which case they provide an easy way for attackers to get around that protection.

"The main message for consumers is make sure your router is locked down," Moore said.

The wider range of devices in business networks and their increased susceptibility to attacks from insiders makes enterprises more vulnerable, he added. A few hours after the white paper was released, Moore said, his team discovered a popular device that modified firewalls to allow outside connections to the port it was running on. Rapid7 has released a free scanner for Windows users that identifies vulnerable network devices. Users of non-Windows computers can access the open-source Metasploit software framework to do the same thing.

The Rapid7 white paper came the same day Cisco Systems announced a fix for a vulnerability in a UPnP software development kit.

This is only a danger for people with no firewall / NAT or who allow other routers and switches to subnet directly into their LAN.

There are a number of articles describing how many UPnP capable routers don't check if an IP is internal before opening the ports. You can knock from the outside to open say, 3389 and scan through the typical LAN addresses to see if anyone is home.

http://www.upnp-hacks.org/igd.html

Some stacks don't check if the NewInternalClient parameter is actually an IP address on the LAN. Those stacks make it possible to specify a routable IP address instead of a private LAN address. The firewall on the router will perform NAT on the incoming packets for the specified port and protocol and send it to whatever NewInternalClient specified. If this is an external IP address which is not on the LAN the packets will be sent there when someone connects to the router from the WAN. The router is effectively turned into an involuntary onion router, since nearly all devices have remote logging via syslog turned off by default and connections are hard to track this way.

My question, like those of others posting above, was "my gadget is on a network using an RFC 1918 address space, and behind a NAT router. Unless I've added port forwarding, how the hell would anyone from outside be able to talk to my printer?!?"

I found the answer in the Wikipedia article on UPnP: "Many routers and firewalls expose themselves as Internet Gateway Devices, allowing any local UPnP control point to perform a variety of actions, including retrieving the external IP address of the device, enumerate existing port mappings, and add or remove port mappings. By adding a port mapping, a UPnP controller behind the IGD can enable traversal of the IGD from an external address to an internal client."

So, people build routers, on purpose, that silently expose internal devices to the Internet?!? AAaarrgghh! I s'pose those are for the "I just want it to work" crowd.

The lesson for the rest of us is to disable all UPnP capability in our routers. {sigh}

For anyone who doesn't want to read the 29-page article, the main thing they found was that routers were advertising UPnP SSDP (the directory that tells you what UPnP devices are available) service to the internet.

If it comes up as stealth, then your router doesn't have this problem. It doesn't mean UPnP services within your network aren't opening up other security holes, but it does mean your router isn't suffering from this problem.

Unfortunately they don't give you a good way to tell if your router is actually vulnerable or not, and I'm not keen on disabling what is a useful technology on the LAN if my router isn't actually vulnerable to the remote attack.

I tried the ScanNow tool mentioned in the paper, but it doesn't appear to do anything. (edit - Okay after an incredibly long wait, I did get a "do you want to run this?" prompt from Windows, after which it told me I need Java installed. Oh well.)

Anyway, unless someone has specifically gone into change the configuration, your standard home router shouldn't be forwarding this UPnP traffic from the net to your inside devices, unless your inside device had first sent related traffic outbound to make entries in the NAT tables. Without this outbound traffic being sent first, by default the router wouldn't know which inside (NAT) device to forward traffic to, and should just drop it (assuming, of course, that there isn't a DMZ configured, but again that is a non-default configuration. If a user is messing with these settings, for better or worse it is on them to understand the consequences).

Edit: On second read, I think I've still been a little unclear. My assertion is that there must be some routers out in the wild that are doing some inappropriate forwarding. I believe that the type of user messing with their DMZ settings isn't going to open up their printer, just as I generally believe that the home router, and not the home printer, is the device plugged into the DSL/Cable modem.

Rapid7 CTO HD Moore told Ars home networks that connect UPnP-enabled devices are generally safe as long as the firewall included in the Internet-facing router is enabled and working properly. The problem is that many routers include vulnerable implementations of UPnP, in which case they provide an easy way for attackers to get around that protection.

This is a false and misleading statement. Even a $50 firewall does not broadcast on the UPnP subnet over its WAN port. Even if it did, I assure you every consumer ISP tosses packets on the 169.254.0.0 /16 network as soon as they hit a router, if only because of the immense crapload of useless traffic UPnP devices generate in probes.

Also, click-bait title is click-bait.

From the whitepaper (for the "but they scanned and found so many vulnerable IPs" argument...):

Quote:

Given the high level of exposure and the potential impact of a successful attack, Rapid7 strongly recommends that UPnP be disabled on all external-facing systems and devices providing a critical function.

So, people build routers, on purpose, that silently expose internal devices to the Internet?!?

It allows your torrent client or videogame to forward ports to itself automatically, for example, so it's not a bad thing for a router to support. Of course, the router only allows this from the inside. The only security concern would be a malicious application which deliberately opens ports for attacks, or has a bug which allows a malicious third-party to do the same.

UPnP is possibly the easiest way to exploit networks and computers alike, everyone knows physical access via plug n play is child's play. I'm not really sure why this is news, we've known this since its inception thanks to the lack of any authentication.

UPnP is designed for dummies. It's the result of giving up trying to educate consumers on setting up their hardware on a network. But what is really going to make this worse is the dummy-proof setup apps router makers use for routers. A lot of consumers probably never have seen a router settings page. Nor do they have any idea how to access it. All they know is they put a CD in the drawer of their PC. Made a few clicks and they have internet. The problem is with this inability to have consumers understand their technology. They have given no other choice to router makers and other hardware makers to make it easy but also makes it a security risk.

Who would have thought that a protocol designed to make devices automatically discover-able might wind up being dangerous?

Uh. Everybody in the business. We all thought it was a bad idea from a security standpoint.

Marketing had to have it though and MS drives easy user interfaces (until W8) which required that everybody and their uncle support it. I had several customers complain that I never enabled auto loading of CD/DVD content. Not true I would tell them. I actually disable it.

I recall some decade and change ago explaining why a particular milling machine shouldn't be connected to the internet. A milling machine for God's sake. Running NT.

It seems like the real problem is that some of these devices let an external connection configure the port mappings as if they were internal. It's not a major security risk that something already running on my computer can get port 48392 mapped back to itself to allow incoming connections (it's convenient not having to configure that for torrent clients and games).

It is one if some random computer anywhere can do something like that to me.

My Netgear router wasn't on the list but I turned off UPnP on it anyway.

I don't think I ever had occasion to use it except for this Sunday I tried to set up DynDNS but then said f--- it after a couple of hours and canceled the account. The router set-up for DynDNS says UPnP has to be enabled for that to work, which is why it was even turned on.

Just tried the grc.com link above and the site tests tell me I'm good to go.

I think we need to clarify for the laymen (including myself). I've configured a network addressable printer manually, never used UPnP.

However, I've enabled UPnP under "Port Forwarding" for torrents rather than forwarding a port. I enabled "Inactive Rules Cleaning" and "Secure Mode" which states "when enabled, UPnP clients are allowed to add mappings only to their IP" This is still ok, right?
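An added example, not code from the article, the thread, or Rapid7: the validation that the upnp-hacks passage quoted earlier says some IGD stacks skip on NewInternalClient, together with the "Secure Mode" behaviour quoted in the comment above (mappings only back to the requester's own address). The LAN prefix, the request values and the check functions are all constructed for illustration; the argument names and service URN are those of the IGD WANIPConnection:1 AddPortMapping action.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed example LAN; a real gateway would take this from its LAN interface.
LAN = ipaddress.ip_network("192.168.1.0/24")
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

def build_request(internal_client, external_port=3389, internal_port=3389):
    """Build a constructed IGD AddPortMapping SOAP request (WANIPConnection:1)."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:AddPortMapping xmlns:u="%s">'
        '<NewRemoteHost></NewRemoteHost>'
        '<NewExternalPort>%d</NewExternalPort>'
        '<NewProtocol>TCP</NewProtocol>'
        '<NewInternalPort>%d</NewInternalPort>'
        '<NewInternalClient>%s</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        '<NewPortMappingDescription>example</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:AddPortMapping></s:Body></s:Envelope>'
    ) % (IGD_NS, external_port, internal_port, internal_client)

def parse_add_port_mapping(soap_body):
    """Return the AddPortMapping arguments as a dict of argument name -> text."""
    root = ET.fromstring(soap_body)
    action = root.find(".//{%s}AddPortMapping" % IGD_NS)
    if action is None:
        raise ValueError("not an AddPortMapping request")
    return {child.tag: (child.text or "").strip() for child in action}

def permissive_check(args, requester_ip):
    """The flawed stack behaviour from the thread: NewInternalClient is never
    inspected, so a routable address outside the LAN is accepted as a target."""
    return "NewInternalClient" in args

def hardened_check(args, requester_ip, secure_mode=True):
    """Accept only targets inside the LAN; with secure_mode (the router setting
    quoted above) only a mapping back to the requester's own address."""
    try:
        target = ipaddress.ip_address(args["NewInternalClient"])
    except (KeyError, ValueError):
        return False
    if target not in LAN:
        return False
    if secure_mode and target != ipaddress.ip_address(requester_ip):
        return False
    return True
```

With secure mode off, the hardened check still refuses the routable-address case but lets one LAN host open a port for another, which is the exposure the later reply about unexpected open ports describes.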

No, not old news. That's talking about disabling the service on Windows. This is a flaw in routers that aren't running Windows.

Exactly, but Steve's been saying for years that UPnP is a terrible idea in general. That was my thought when I first heard about it years ago, as well, and all client networks I set up have it disabled, as does my own. UPnP is "useful" only in that it saves those who don't know how to open ports from hassling with it. If you know how to do so, you probably should do so yourself if you care about security. I, for one, don't want anything opening network ports to the outside world in my router without a darned good reason and my consent.

Do I need to use the Net? of course. Do I want everything to auto-magically just work? Sure! Do I believe, based on decades of experience with computing, that this can be done securely? Nope.

I think we need to clarify for the laymen (including myself). I've configured a network addressable printer manually, never used UPnP.

However, I've enabled UPnP under "Port Forwarding" for torrents rather than forwarding a port. This is still ok, right?

Depends on whether anything else within your network has opened external ports via UPnP. My router (a Netgear) tells me which ports have been opened via UPnP. I was surprised by the number of external ports which were opened (confirmed with an external port scan). I'd recommend running a similar check to make sure no other programs/devices are opening ports.